VP of Sales Engineering
Groups, we are told, make our lives simpler. Better. More secure. Everything should be managed by groups, so you can put users in them, and they get everything they need. This has been sage advice, retold around the security fires late at night for more than 20 years. So, if we’ve had more than 20 years to get this right, why is managing groups still such a pain?
One of the reasons is that very rarely in this industry do we get to start from scratch. There are different ways to organize and use groups, and most of the time we're picking up where someone else has left off. They used groups one way, we need (or want) to use groups another way, and it gets messy for a while. In many cases, a while turns into forever, and then we hand off what we've been doing to someone else, who now has three different ways to use and organize groups. The result: layer upon layer of groups.
Another reason we have group headaches is that we need groups everywhere. Groups in AD or Entra by themselves don't do the job. We need groups in AD, sure, but we also need groups in AWS, Salesforce, Workday, and so on. And we are also likely to have multiple AD and Entra instances: test instances, prod instances, instances from mergers and acquisitions, shadow IT instances. Many instances, plus many other places where we need to manage groups. The traditional tools that sit in Entra and try to control everything from there simply can't handle the complexity of modern computing.
A third reason this is so challenging is that deciding who should be in which group isn't simple either. The identity information we need is not in a single place, and it's often not unified or clean by any definition. Our identity sources are extremely varied: multiple HR sources like Workday, BambooHR and PeopleSoft, connected to multiple user stores such as Entra ID, on-prem AD and Google Workspace. Other information comes from databases, spreadsheets and a whole bunch of other places. And with multiple sources come multiple headaches: data is sparse in some, verbose in others, spread across multiple databases, and it rarely stays consistent. AD has your title as "Tech Ninja" while Workday has "IT Guru" and Google has just "Techie".
One final reason managing groups is a pain is that they're constantly changing. Some changes are good: people moving jobs, hiring new folks, people retiring, companies merging to get bigger and stronger, that sort of thing. Each change means adjusting the membership of groups, creating new groups, and retiring old ones to keep the groups in order. But there's also the other kind of change: folks with the rights to add people to groups manually making changes outside of your established process. Sometimes this is nefarious, with people trying to gain access to stuff they shouldn't, but a lot of it is just the pressure of getting the job done. "This one time" they'll do manually what they know they should do the right way, but they've got a lot to do and it's a small change, so let's just get this done, shall we? Of course, "this one time" becomes "the only way to get it done" and it happens over and over. Either way, the group is now granting access that nobody approved, your group membership discipline becomes a dream, and your groups are loaded with who knows what.
In short, groups are a pain.
So, group management turns out to be complicated. That much is clear, and you probably already knew it. We need a solution that doesn't require us to reorganize everything from scratch, that connects to and makes changes in all of the places where we have groups, and that doesn't need a single clean source of identity information to get the job done. We need it to be flexible enough to reflect the challenges of our particular business, and we'd probably love some automation too, so it can do as much of the heavy lifting as possible for us. It's been more than 20 years; surely someone has built something like this?
Well, it did take slightly more than 20 years since the advent of AD, but a true group management solution has recently emerged. Readibots has built a Group Manager application. This product creates groups and manages their members using a flexible connector model that allows it to connect anywhere to gather the identity information it needs, and also to connect anywhere to create and update the groups it needs to manage. Every step has flexibility built into it so you can modify the behavior to reflect your specific business practices, and it comes with monitoring and drift detection on top of that, so you can actively enforce your group policies across your business.
First, the Readibots solution provides an identity-driven rules system that creates groups for you. These groups can be created anywhere – in AD, Entra, Google, AWS, Salesforce, Workday, Dropbox, Signal, Slack – wherever you need groups. The rules use identity attributes present in your identity sources – choose as many sources as you like to drive the right groups into the applications where you need them to be.
Then the Readibots solution provides identity-based controls that set the members of those groups. This once again uses your identity attributes to select and set the members of those groups, dynamically ensuring that the right folks in your business are in the groups they need to be in.
Once you have the right groups and the right members, Readibots Group Manager then wraps change management around them, detecting anyone added to or removed from those groups, including changes driven by people or processes outside your process. Unwanted changes can be automatically remediated, alerted on, or reported. Send the events to your SIEM if you need to. You can constantly be sure that the groups have the right members, and when folks make changes outside of your chosen process, you'll know about it. Add in a flexible remediation system that gives you control over how members are provisioned.
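To make the three steps above concrete, here is an added Python example of the same reconciliation loop: merge several identity sources (with a source-precedence rule, since titles and other attributes disagree between systems), evaluate attribute-based membership rules, diff the result against a snapshot of the real groups, and turn the drift into add/remove actions or JSON events for a SIEM. This is illustration only, not Readibots code and not a description of how Group Manager is implemented; the identity records, the group names (GG-IT-Staff, GG-Sales), the precedence table and the group snapshot are all constructed.

```python
"""Attribute-driven group membership with drift detection (illustrative only)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Identity = Dict[str, str]

# Constructed identity sources keyed by employee id. Titles disagree between
# systems, HR has already terminated 1003 while AD still has the account, and
# 1004 exists only in AD with no HR record at all.
SOURCES: Dict[str, List[Identity]] = {
    "workday": [
        {"id": "1001", "dept": "IT", "title": "IT Guru", "status": "active"},
        {"id": "1002", "dept": "Sales", "title": "AE", "status": "active"},
        {"id": "1003", "dept": "IT", "title": "Engineer", "status": "terminated"},
    ],
    "ad": [
        {"id": "1001", "sam": "jdoe", "title": "Tech Ninja"},
        {"id": "1002", "sam": "asmith", "title": "Account Exec"},
        {"id": "1003", "sam": "bold", "title": "Engineer"},
        {"id": "1004", "sam": "svc-backup", "title": ""},
    ],
}

# Assumed source precedence: HR is authoritative for dept and status, the
# directory for the login name. Attributes with no owner keep the first value seen.
PRECEDENCE = {"dept": "workday", "status": "workday", "sam": "ad"}


def merge_identities(sources: Dict[str, List[Identity]]) -> Dict[str, Identity]:
    """Join every source on employee id into one record per person."""
    merged: Dict[str, Identity] = {}
    for source_name, records in sources.items():
        for rec in records:
            person = merged.setdefault(rec["id"], {"id": rec["id"]})
            for attr, value in rec.items():
                if attr == "id":
                    continue
                owner = PRECEDENCE.get(attr)
                if (owner is None and attr not in person) or owner == source_name:
                    person[attr] = value
    return merged


@dataclass
class GroupRule:
    name: str                              # group to manage, e.g. an AD group
    predicate: Callable[[Identity], bool]  # attribute test that grants membership


def is_active(p: Identity) -> bool:
    # Eligible only if HR knows the person and says they are active; an account
    # with no HR record (a service account, a leaver) never matches a rule.
    return p.get("status") == "active"


RULES = [
    GroupRule("GG-IT-Staff", lambda p: is_active(p) and p.get("dept") == "IT"),
    GroupRule("GG-Sales", lambda p: is_active(p) and p.get("dept") == "Sales"),
]


def desired_membership(people: Dict[str, Identity], rules: List[GroupRule]) -> Dict[str, Set[str]]:
    """Evaluate every rule against every merged identity; members are login names."""
    return {
        r.name: {p["sam"] for p in people.values() if "sam" in p and r.predicate(p)}
        for r in rules
    }


def detect_drift(desired: Dict[str, Set[str]], actual: Dict[str, Set[str]]) -> List[dict]:
    """Compare rule-derived membership with a snapshot of the real groups.

    One event per out-of-policy group: members added outside the process
    (unexpected) and members the rules say should be there (missing).
    """
    events = []
    for group, want in desired.items():
        have = actual.get(group, set())
        unexpected, missing = sorted(have - want), sorted(want - have)
        if unexpected or missing:
            events.append({"group": group, "unexpected": unexpected, "missing": missing})
    return events


def remediation_plan(events: List[dict]) -> List[dict]:
    """Turn drift events into the add/remove actions that put groups back in policy."""
    plan = []
    for e in events:
        plan += [{"action": "remove", "group": e["group"], "member": m} for m in e["unexpected"]]
        plan += [{"action": "add", "group": e["group"], "member": m} for m in e["missing"]]
    return plan


# Constructed directory snapshot: a service account was hand-added to GG-IT-Staff,
# the leaver was never removed, and the salesperson is missing from GG-Sales.
ACTUAL_SNAPSHOT = {"GG-IT-Staff": {"jdoe", "bold", "svc-backup"}, "GG-Sales": set()}

if __name__ == "__main__":
    drift = detect_drift(desired_membership(merge_identities(SOURCES), RULES), ACTUAL_SNAPSHOT)
    print(json.dumps(drift))               # one JSON document per event, SIEM-friendly
    print(json.dumps(remediation_plan(drift)))
```

The precedence table is the part worth thinking about in a real deployment: the rule "HR wins for status" is what turns a terminated record into a removal even though the directory still happily lists the account, and the "no HR record means no membership" choice is what surfaces the hand-added service account as drift rather than silently accepting it.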
You can put away the Advil.
Your group headaches will be a thing of the past.